Following Controversy, Yahoo Officially Launches Bug Bounty Program

As promised, Yahoo formally kicked off its bug bounty program late last week, aiming to correct what many in the security industry viewed as a misstep after it handed out a paltry $12.50 credit to a researcher for discovering a cross-site scripting vulnerability.

The company caught flak in September when it was reported that the $12.50, a scant prize as it is, came as a discount code that could only be used toward Yahoo-branded merchandise like t-shirts, cups and pens from its store.

Yahoo’s Security Director Ramses Martinez addressed the program’s rules in a post to the Yahoo Developer Network Tumblr on Thursday, joking that he hopes the program will “usher in a new, less-shirt-centric era for security at Yahoo.”

Researchers can now officially submit vulnerabilities they find in Yahoo and Flickr-branded apps and websites to the company via bugbounty.yahoo.com.

The list of vulnerability classes eligible for a bounty is about on par with the lists published by other companies that run programs of their own (Google, Facebook):

Cross-Site Scripting

SQL Injection

Open Redirect

Remote Code Execution

Cross-Site Request Forgery

Directory Traversal

Information Disclosure

Content Spoofing

Clickjacking

As Martinez outlined in early October, the program will reward researchers who discover a previously unknown technical vulnerability and responsibly disclose it. Rewards range from $250 to $15,000 depending on the severity and complexity of the issue. Martinez adds that submissions will be validated 24 hours a day, seven days a week, and that members of Yahoo’s security team will personally respond to everyone who submits a bug.

As with most bug bounty programs there is a gray area when it comes to vulnerabilities that do not fit into one of the categories above. Yahoo says it will find another way to recognize researchers who report such issues on other Yahoo-branded sites, as long as the issues are not related to networking protocol problems or social engineering and are not found in software that is no longer supported.

Much like Facebook does with researchers who responsibly disclose issues, Yahoo will now display the names of those who report vulnerabilities on what it’s calling a “Wall of Fame.”

The company’s lack of a formal reward process was brought to light earlier this fall when High-Tech Bridge, a Swiss security firm, sent a series of XSS vulnerabilities to security@yahoo-inc.com. Each one was met with a $12.50 Yahoo store credit.

As expected, the security community was incensed, and Yahoo eventually responded, rewarding High-Tech Bridge with $1,000 for the vulnerabilities and, after “meetings, emails, new contacts, and tons of discussions,” ultimately forming the company’s new bug bounty program.

About Chris Brook
